OFFICE OF THE SECRETARY

Classified Information Policies and Practices at the Department of Commerce Need Improvement

FINAL REPORT NO. OIG-13-031-A
SEPTEMBER 30, 2013

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

For Public Release

Report In Brief

Background

Executive Order (order) 13526, “Classified National Security Information” prescribes a uniform system effective June 27, 2010, for classifying, safeguarding, and declassifying national security information. In addition to controlling the amount and duration of classification and sharing classified information more freely, order 13526 outlines mandatory training requirements for those with classification authority.

The Department of Commerce is responsible for both implementing national policies and establishing Departmental policies to ensure that such information is adequately safeguarded when necessary and appropriately shared whenever possible. Within the Department, the Director of the Office of Security is responsible for overseeing all security management. The Department has been proactively reducing the number of classified documents.

Why We Did This Review

The Reducing Over-Classification Act of 2010 (Public Law 111-258) mandates that each inspector general with an officer or employee authorized to make original classification decisions conduct two evaluations to promote the accurate classification of information. The first evaluation must be completed by September 30, 2013; a second, to be completed by September 30, 2016, must review progress made after the first. Our audit objectives were to (a) assess whether the Department’s applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered, and (b) identify what policies, procedures, rules, regulations, and management practices may be contributing to the misclassification of material.

WHAT WE FOUND

We found that the Department has generally adopted policies, procedures, rules, and regulations prescribed by order 13526. However, we identified areas where the Department could improve certain classification policies, procedures, rules, and regulations:

The Department must ensure its policies and practices are consistent with federal requirements.

    Documents are not being received and reviewed timely for declassification or destruction. Our review of 61 classified documents found that 17 of them may have exceeded their declassification date and should have been referred for a declassification review. We found that a Department employee did not take action to request a mandatory declassification review of the documents that might have been inappropriately classified.

    Derivative classification documents contained marking deficiencies. We reviewed 40 Department-generated classified documents and found that 15 derivatively generated documents reviewed had marking deficiencies that did not follow order 13526 requirements. These conditions occurred because the Office of Security neither (a) provided adequate biennial training on applying derivative classification markings nor (b) had guidance in place complying with order 13526.

Oversight and internal control processes need improvement.

    Data reported in Security Manager were inaccurate. The Office of Security uses the Security Manager database to track and account for the entire Department’s classified information. However, for 14 of the 61 documents, we found that the data reported in Security Manager were inaccurate.

    Poor inventory practices contributed to inaccurate information. The Office of Security requires that offices maintaining classified information conduct an annual inventory and review of their classified holdings. However, we found that the offices who conducted the inventories could not provide evidence that they performed the inventory as required—and that the approaches these offices used in conducting the reviews were inconsistent.

WHAT WE RECOMMEND

We recommend that the Director, Office of Security:
 1. ensure that the document custodian take action to finalize the disposition of the three documents identified with expired declassification dates;
 2. require container custodians to be responsible for the classified documents in the container(s) they control;
 3. amend the Security Manual to align with the language in Executive Order 13526 regarding markings on derivatively classified documents, as well as update biennial training on classification markings for derivatively generated documents;
 4. improve the process for entering accurate data into Security Manager and develop guidance addressing the processes to be followed for annual classified information inventory reviews; and
 5. incorporate any relevant changes made as a result of recommendations in this report as part of the Office of Security’s annual reviews of the Department’s classified information.

Contents

Introduction
Objectives, Findings, and Recommendations
   I. Department Must Ensure Its Policies and Practices Are Consistent With Federal Requirements
      A. Documents Did Not Receive Timely Review for Declassification or Destruction
      B. Derivative Classification Documents Contained Marking Deficiencies
   II. Oversight and Internal Control Processes Need Improvement
      A. Data Reported in Security Manager Were Inaccurate
      B. Poor Inventory Practices Contributed to Inaccurate Information
   Recommendations
Summary of Agency Response and OIG Comments
Appendix A: Objectives, Scope, and Methodology
Appendix B: Agency Response

COVER: Detail of fisheries pediment, U.S. Department of Commerce headquarters, by sculptor James Earle Fraser, 1934

Introduction

Since 1951, executive orders have directed government-wide classification standards and procedures. Executive Order (order) 13526, “Classified National Security Information”—signed by the President on December 29, 2009, and effective June 27, 2010—prescribes a uniform system for classifying, safeguarding, and declassifying national security information. In addition to controlling the amount and duration of classification and sharing classified information more freely among the executive branch and state, local, tribal, and private sector partners, order 13526 outlines mandatory training requirements for those with original and derivative classification authority.
Pursuant to order 13526, the Information Security Oversight Office (ISOO)[1] provided a directive stating that training requirements must consist of classification standards, classification levels, classification authority, classification categories, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing.

The Reducing Over-Classification Act of 2010 (Public Law 111-258)[2] mandates that the inspector general of each agency of the United States with an officer or employee authorized to make original classification decisions conduct two evaluations to promote the accurate classification of information. The first evaluation must be completed by September 30, 2013; a second evaluation, to be completed by September 30, 2016, must review progress made pursuant to the results of the first. The Act—designed to address the issues highlighted by the National Commission on the Terrorist Acts Upon the United States about overclassification of information and to promote information sharing across the federal government and with state, local, tribal, and private sector entities—states: “[O]ver-classification of information interferes with accurate, actionable, and timely information sharing, increases the cost of information security, and needlessly limits stakeholder and public access to information.”

Two significant changes to the classification program resulted from order 13526. First, classified information will be made accessible to the maximum extent possible to authorized holders. Second, classified information originating in one agency may be disseminated to another agency or U.S. entity by any agency to which it has been made available without the consent of the originating agency, as long as the recipients meet the criteria for authorized holders.
However, the originating agency may restrict dissemination by obtaining approval of the National Archives and Records Administration ISOO or the Director, National Intelligence, as applicable.

[1] ISOO is responsible for policy oversight of the government-wide classification system. According to ISOO policy, the receiving agency must treat the information the same way as original information.
[2] Enacted October 7, 2010.

The Department of Commerce creates, receives, handles, and stores classified information as part of its mission. As a creator and user of classified information, the Department is responsible for both implementing national policies and establishing Departmental policies to ensure that such information is adequately safeguarded when necessary and appropriately shared whenever possible. With proper classification of classified products, the Department can share more information with external stakeholders. Within the Department, the Director of the Office of Security is responsible for overseeing all security management.
The classified information results from original classification by Department officials, documents derived from other source documents, and documents from other agencies.

According to order 13526, information determined to require protection from unauthorized disclosure in order to prevent damage to national security must be marked appropriately to indicate its classification. The expected damage to national security that the original classification authority is able to identify or describe as resulting from unauthorized disclosure determines the classification level:

    • top secret—exceptionally grave damage,
    • secret—serious damage, or
    • confidential—damage.

Further, according to order 13526, no other terms are to be used to identify U.S. classified information, except as otherwise provided by statute. If significant doubt exists about the need to classify or the appropriate level of classification, the information will either not be classified or classified at the lower level.

Only those authorized in writing by the President, the Vice President, agency heads, or other officials designated by the President may originally classify information. These authorities must be trained on proper classification prior to originally classifying information and at least once a year thereafter. Derivative classification—the incorporating, paraphrasing, restating, or generating in new form information that is already classified and marking the newly developed material according to the source information—includes the classification of information based on classification guidance. Personnel who apply derivative classification markings must be trained to apply the principles of order 13526 prior to derivatively classifying information and at least once every 2 years thereafter.
Information may be derivatively classified from a source document or documents, or by using a classification guide.

Based on information provided by the Office of Security, the Department had more than 42,000 classified documents in 2005. Since then, the Department has been proactively reducing the number of classified documents. The Department presently has 122 security containers that contain more than 4,800 classified documents—about 37,000 documents have either been destroyed or transferred outside the Department. The majority of the Department’s classified documents are derivatively classified.

Objectives, Findings, and Recommendations

Our audit objectives were to (a) assess whether the Department’s applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered, and (b) identify what policies, procedures, rules, regulations, and management practices may be contributing to the misclassification of material. In this Department-wide audit, out of the 4,842 classified documents, we reviewed a random sample of 61. Forty[3] were Department-generated documents, either original or derivative; as such, the Department had classification authority. The remaining 21 documents were created and given to the Department by outside agencies. Appendix A further details the objectives, scope, and methodology of our audit.

We found that the Department had generally adopted policies, procedures, rules, and regulations prescribed by order 13526.
For example, the Department
    • reduced the number of original classification authorities from 16 to 3,
    • revised the Manual of Security Policies and Procedures[4] (Security Manual) to include ISOO-recommended changes, and
    • updated the annual security education and training program content to include required training of original classification authorities and derivative classifiers.

However, we identified areas where the Department could improve certain classification policies, procedures, rules, and regulations prescribed by order 13526 and the Department (see table 1).

Table 1. Summary of Findings by Number of Documents

                           Exceeded          Potentially                     Recorded
                           Mandated          Exceeded        Contained       Inaccurately
                           Declassification  Classification  Marking         in Security
Bureau                     Date              Date            Deficiencies    Manager
-------------------------  ----------------  --------------  --------------  ------------
BIS                        0                 0               11              14
Office of the Secretary    0                 0               3               0
NTIA                       3                 17              1               0
Total                      3                 17              15              14

Source: OIG

[3] Of the 40 documents, 30 were generated derivatively and 10 were original classification.
[4] The Security Manual, dated December 2012, establishes security policies and provides procedural guidance for the effective administration of security programs in the Department. Its provisions apply to all Departmental operating units, offices, facilities, employees, contractors and associates, and others who have access to Departmental facilities, information, personnel, or information technology systems.

First, we found that Department employees need to be more proactive in challenging classified documents that either exceeded or may have exceeded declassification dates and should have been referred to the originating agency for a declassification review. In addition, we found that 15 documents had marking deficiencies in one or more of the required elements, such as missing information on the classifier.

Further, we identified areas for which the Department could improve certain classification policies and practices prescribed by the Security Manual.
For instance, although the Office of Security uses the Security Manager database to track and account for the entire Department’s classified information, we found that data reported in Security Manager for 14 documents were inaccurate and incomplete. These inaccuracies highlight the need for improved control procedures to ensure that classified information is properly accounted for and recorded in Security Manager.

Department policy also requires that offices maintaining classified information conduct an annual inventory and review of their classified holdings. However, we found that these offices could not provide evidence of performing these inventories. The deficiencies identified in this audit indicate that the inventories are not properly conducted. Reliable inventory reviews ensure detection of possible documents in the custodians’ possession that require downgrade, declassification, or destruction. Finally, we found that the Office of Security did not include adequate biennial training for derivative classifiers on how to apply derivative classification markings on documents.

Without improvements, the weaknesses identified may limit the Department’s ability to make informed risk-based decisions that support the protection of classified information and the system on which it resides. As such, we have made several recommendations that, if fully implemented, should help enhance the Department’s management of risk of overclassified information.

I. Department Must Ensure Its Policies and Practices Are Consistent With Federal Requirements

The Department has generally adopted—but, in certain cases of classification, does not effectively follow and administer—policies, procedures, rules, and regulations prescribed by order 13526.
Specifically, we found that
    • documents are not being received and reviewed timely for declassification or destruction and
    • derivative classification documents contained marking deficiencies.

A. Documents Did Not Receive Timely Review for Declassification or Destruction

Our review of 61 classified documents found that 17 documents, created and given to the Department by an outside agency, may have exceeded their declassification date and should have been referred to the originating agency for a declassification review. Department officials stated that authorized holders of information (including holders outside the classifying organization) who believe that a classification is improper are to request a mandatory declassification review (MDR) by the originating agency or originating classification authority.

However, we found that a Department employee did not take action to request this MDR for classified documents that were held beyond the specified date that would trigger such a review. A discussion with the employee who served as custodian for the 17 documents indicated that they were no longer being used or needed by Department staff and could be potentially destroyed or declassified (i.e., sent for a declassification review). Fifteen of these documents were 19–45 years old (2 documents were not dated). Of the 15 dated documents, 12 showed declassification dates ranging from 1993 through 1995.
This could result in maintaining documents that could be made available for public release, unnecessarily limiting disclosure and public access. Office of Security personnel reported progress on encouraging Department staff to take action to downgrade or destroy old or unneeded documents. However, the Office of Security needs to continue communicating to employees the importance of forwarding documents that have reached their declassification date for referral to the originating agency or authority for declassification guidance.

In addition, we identified three derivatively classified documents that recently exceeded their mandatory declassification date—March 2012—and should have been referred to the originating agency for a declassification review. We brought this issue to the attention of the document custodian, who was not aware that the declassification date had expired. Although the custodian has contacted the outside agency, resolution regarding the declassification of these documents has not yet taken place. These examples by themselves do not indicate a systemic problem but may suggest that other documents can run the same risk of exceeding their mandated declassification dates, warranting improved agency management of this process. Failing to take timely action to declassify documents could prevent federal agencies from sharing information internally, with other agencies, and with state and local law enforcement, making it more difficult to draw connections and anticipate threats.

B. Derivative Classification Documents Contained Marking Deficiencies

Order 13526 sets forth the specific conditions that must be met when making classification decisions and outlines the procedures to properly mark and classify documents.
Derivative classifiers must identify themselves by name and position or personal identifier, as well as observe original classification decisions and carry forward the pertinent markings. Order 13526 also states that persons who apply derivative classification markings shall receive training in the proper application of principles, with an emphasis on avoiding overclassification, at least once every 2 years. We reviewed all 40 Department-generated classified documents and found that 15 derivatively generated documents reviewed had marking deficiencies that were not in compliance with the required document marking elements contained in order 13526 (see table 2).

Table 2. Summary of Findings: Documents with Marking Deficiencies

                                                        Number of      Number of Documents
                                                        Marking        That Could Not Be
Classification Criteria                                 Deficiencies   Verified
------------------------------------------------------  -------------  -------------------
Derivative classifier is identified by name and         10             0
position or personal identifier
Derivative classifier observed and respected            2              0
original classification
For a document derived from multiple sources, the       1              7
derivative classifier carried forward date or event
that corresponds to longest period of classification
among the sources
Derivative classifier attached a listing of             10             0
classified sources
Total                                                   23[a]          7

Source: OIG
[a] We identified a total of 15 documents that contained the 23 deficiencies.

For example, 10 were missing information on the classifier. Not naming the classifier could call into question whether the individual had the proper authority to classify the document. Further, order 13526 states that, in the event of multiple sources, the derivative classifier will carry forward the date or event for declassification that corresponds to the longest period of classification among the sources and list all the source materials. For 7 documents, we could not verify the declassification date because the source documents were not available or the source was not identified.

These conditions occurred because the Office of Security neither
    • provided adequate biennial training for personnel responsible for applying derivative classification markings, nor
    • had guidance in place complying with order 13526 requiring the name and position or personal identifier to be listed on the derivatively classified document.

Order 13526 requires that derivative classifiers receive training at least once every 2 years, with an emphasis on avoiding overclassification.
However, we found that the Office of Security did not include adequate training for derivative classifiers on how to apply derivative classification markings on documents. On June 13, 2013, we brought this matter to the attention of the Office of Security. Subsequently, an Office of Security representative stated that they revised their training course to include applying derivative classification markings for sessions beginning in FY 2014.

If employees with derivative classification authority do not receive proper guidance and training on policies and procedures, classified documents, or portions of classified documents, may be improperly released; the authors of classified documents may be unknown; and employees may not have all of the information necessary for declassification.

II. Oversight and Internal Control Processes Need Improvement

The Office of Security could improve certain classification policies and practices prescribed in its Security Manual. Effective program management includes reliable information systems, a comprehensive inspection program, and comprehensive training for classifiers. Specifically, we found that

    • data reported in Security Manager were inaccurate and
    • poor inventory practices contributed to inaccurate information.

A. Data Reported in Security Manager Were Inaccurate

The Security Manual requires document classifiers to maintain records in Security Manager concerning original and derivative classification actions.
The Office of Security
              uses the Security Manager database—for which the Department has established
              procedures to ensure accurate data input—to track and account for the entire
              Department’s classified information. Servicing security offices⁵ or security contacts⁶ are
              required to review records and reports to ensure the information submitted by
              document classifiers is complete and accurate. Furthermore, as part of its yearly
              document inspection program, the Office of Security verifies the accuracy of information
              input into Security Manager. However, for 14 of the 61 documents, we found that the
              data reported in Security Manager were inaccurate. For example, 12 documents had
              been destroyed but Security Manager showed them as still in the inventory. In another
              example, Security Manager showed that 1 document was located in the District of
              Columbia when in fact it had been transferred to an office in California in July 2008.
              These inaccuracies highlight the need for improved control procedures to ensure that
              classified information is properly safeguarded, accounted for, and recorded in Security
              Manager. Maintaining accurate data is an essential component of good oversight and
              helps lead to informed decisions.

          B. 
Poor Inventory Practices Contributed to Inaccurate Information

              The Security Manual requires that offices maintaining classified information conduct an
              annual inventory and review of their classified holdings, stating that (a) each document
              must be visually inspected during the annual inventory to ensure it is complete or
              accounted for and (b) inventory results should be forwarded to the responsible office’s
              security contact. However, we found that the offices that conducted the inventories
              could not provide evidence that they performed the inventory as required—and that
              the approaches these offices used in conducting the reviews were inconsistent. For
              example, even though one office stated that it had performed the reviews, it had neither
              documented nor reported the results.

⁵ Servicing security offices implement and monitor compliance with Departmental security program activities in
bureaus, operating units, and Departmental offices under their jurisdiction.
⁶ A security contact is appointed by Departmental organizations to serve as a liaison to the Office of Security to
address all matters of security.

Another office stated that it had randomly
              selected documents for review but verbally provided confirmation of their results to the
              responsible office’s security contact. Even though these offices stated reviews are being
              performed, the deficiencies found in this report (e.g., three documents that had
              declassification dates went unnoticed for more than a year; the disposition of destroyed
              documents was not properly recorded in Security Manager) indicate that the inventories
              are not properly conducted. The lack of specific guidance contributed to the
              inconsistent approaches among the offices concerning how to perform their annual
              inventory reviews. Reliable inventory reviews ensure detection of possible documents in
              the custodians’ possession that require downgrade, declassification, or destruction.

Recommendations

We recommend that the Director, Office of Security:

    1. ensure that the document custodian take action to finalize the disposition of the three
       documents identified in the audit with expired declassification dates;

    2. require container custodians to be responsible for the classified documents in the
       container(s) they control and (a) promote and enforce user reviews of classified
       documents, as well as (b) ensure custodians are trained and understand their
       responsibilities to account for, control, and purge classified materials;

    3. amend the Security Manual to align with the language in Executive Order 13526 that
       requires the name and position or personal identifier to be listed on derivatively
       classified documents, as well as update biennial training to include how to apply
       classification markings on derivatively generated documents;

    4. 
improve the process for entering accurate data into Security Manager and develop
       guidance addressing the processes to be followed to conduct and document annual
       classified information inventory reviews; and

    5. incorporate any relevant changes made as a result of recommendations in this report as
       part of the Office of Security’s annual reviews of the Department’s classified
       information.

Summary of Agency Response and OIG Comments

OIG received the Department’s comments on the draft report, which we include as appendix B
of this final report. Based on the Department’s review of the draft and subsequent discussions
with our office, we have made some changes to the language in the report. The Department
concurs with the findings and recommendations in the report.

Appendix A: Objectives, Scope, and Methodology

The objectives of our audit were to (a) assess whether the Department’s applicable
classification policies, procedures, rules, and regulations have been adopted, followed, and
effectively administered, and (b) identify what policies, procedures, rules, regulations, and
management practices may be contributing to the misclassification of material.

To accomplish our objectives, we obtained a list from the Department’s Office of Security to
identify the population of classified documents. 
The Office of Security’s list was generated from
the Security Manager data system, covering classified documents as of April 4, 2013. Initially, we
judgmentally selected 74 out of 4,842 classified documents for review. However, we were not
able to test 13 documents we intended to include in our audit because 12 documents had been
destroyed and 1 was transferred to another location outside the DC metro area.
Consequently, we sampled 61 documents—40 of which were Department of Commerce
generated and the remaining 21 were created and given to the Department by outside agencies.
Top secret documents were not included within the scope of our audit of classified documents
due to the process necessary to access these records and the availability of properly cleared
staff.

In addition, we

    •   discussed management classification practices with the Office of Security and the four
        regional offices (National Institute of Standards and Technology Security Office,
        Gaithersburg, MD; Western Regional Security Office, Seattle, WA; Census Bureau
        Security Office, Suitland, MD; and National Oceanic and Atmospheric Administration
        Security Office, Silver Spring, MD);

    •   compared the Department’s Security Manual policies with those required by Executive
        Order (order) 13526;

    •   evaluated the Department’s management practices used to list and track the classified
        documents and to train all staff that has the ability to derivatively classify documents;

    •   evaluated the Office of Security’s internal controls; and

    •   coordinated our scope and methodologies with the other agency inspectors general.

Further, we obtained an understanding of the internal controls by evaluating Office of Security
responses to the statement of assurance for FYs 2011 and 2012 and by interviewing Office 
of
Security staff and assessing their adherence to the requirements in order 13526 and the
Department of Commerce Manual of Security Policies and Procedures. While we identified and
reported on internal control deficiencies, no incidents of fraud, illegal acts, violations, or abuse
were detected within our audit. We found weaknesses in the Department’s controls related to
(a) its inadequate action and annual statement of assurance responses and (b) the processes and
procedures used to originally and derivatively classify documents and correctly maintain and
inventory the documents in its classified containers.

We tested the reliability of the data provided in the Security Manager system by analyzing it for
irregularities and inconsistencies such as missing data, misstatements, and other obvious errors.
However, we did not have access to the IT system. While we noted discrepancies, they were
not a material representation of the entire population of information and, thus, we consider the
system data sufficiently reliable for use in our audit.

We conducted the audit fieldwork between March 2013 and August 2013. We performed our
fieldwork at the Department of Commerce, Office of Security and their regional offices at the
Census Bureau, Suitland, Maryland; the National Institute of Standards and Technology,
Gaithersburg, Maryland; and the National Oceanic and Atmospheric Administration in Silver
Spring, Maryland.

We performed our work under the authority of the Inspector General Act of 1978, as
amended, and Department Organizational Order 10-13, August 31, 2006. We conducted this
audit in accordance with generally accepted government auditing standards. 
Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our findings and conclusions based
on our audit objectives.

Appendix B: Agency Response

011200000160
'